VMware Networking Community
neel_mani
Contributor
Contributor
‎10-15-2017 07:02 AM
Jump to solution

ESXi host not able to log to the syslog server.

Folks,

Our ESXi host is just not able to reach the syslog server after all the configuration done. We have done the configuration based on this URL:

Configuring syslog on ESXi (2003322) | VMware KB

The command "nc -z a.b.c.d 514" works fine and the syslog server is being reached. However, the log messages do not go to the syslog server.

Now, from the above link the "Configuring Local and Remote logging using Host Profiles " section has not been done as it does not seem to be needed.

Please let us know if anyone has any thoughts/comments on this.

Thanks!!

N.

1 Solution

Accepted Solutions
bayupw
Leadership
Leadership
‎10-15-2017 06:59 PM
Jump to solution

Hi

On that KB, there is an additional information on the firewall, have you configure that part?

Additional Information

Configuring ESXi Firewall Exception using the esxcli command

Note: You may need to manually open the Firewall rule set for syslog when redirecting logs. For UDP traffic, this firewall rule has no effect in ESXi 5.0 build 456551 and the UDP port 514 traffic flows regardless.

To open outbound traffic through the ESXi Firewall on UDP port 514 and TCP ports 514 and 1514, run these commands:

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh

2 things that you may want to double check (if you are going to check from UI):

1. Syslog configuration

pastedImage_0.png

pastedImage_1.png

2. Security Profile/Firewall

pastedImage_2.png

If you have vRealize Log Insight, it can configure the syslog for you to forward to Log Insight.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw

View solution in original post

7 Replies
daphnissov
Immortal
Immortal
‎10-15-2017 07:18 AM
Jump to solution

And you made sure to enable the outgoing firewall rule in ESXi on UDP 514? If so, post a screenshot of your syslog.* advanced settings for review. Also state what version of ESXi you have (including build).

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net
0 Kudos
neel_mani
Contributor
Contributor
‎10-15-2017 09:12 AM
Jump to solution

We are running VMware ESXi, 5.5.0, 2068190 version. Can you provide some pointers on where to check the outgoing port being enabled?

I believe you mean security profile, right?

I have attached all the screen shots which can show the syslog part.

Thanks. Smiley Happy

Preview file
68 KB
Preview file
62 KB
Preview file
81 KB
Preview file
68 KB
Preview file
78 KB
0 Kudos
neel_mani
Contributor
Contributor
‎10-15-2017 09:17 AM
Jump to solution

I have another screen shot of the syslog deamon, could this be the issue?

Preview file
18 KB
0 Kudos
daphnissov
Immortal
Immortal
‎10-15-2017 09:40 AM
Jump to solution

Yes, check the security profile on the Outgoing Connections pane. There was also a known issue whereby logs would stop being sent by the daemon if a network interruption occurred. Follow steps in this KB especially esxcli system syslog reload. Your global log host is using TCP and not UDP, so are you sure  your syslog server supports ingestion via TCP? Some do not, so something to check. Also, are you aware how incredibly outdated you are on patches, even for 5.5? You're more than three years outdated.

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net
0 Kudos
bayupw
Leadership
Leadership
‎10-15-2017 06:59 PM
Jump to solution

Hi

On that KB, there is an additional information on the firewall, have you configure that part?

Additional Information

Configuring ESXi Firewall Exception using the esxcli command

Note: You may need to manually open the Firewall rule set for syslog when redirecting logs. For UDP traffic, this firewall rule has no effect in ESXi 5.0 build 456551 and the UDP port 514 traffic flows regardless.

To open outbound traffic through the ESXi Firewall on UDP port 514 and TCP ports 514 and 1514, run these commands:

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh

2 things that you may want to double check (if you are going to check from UI):

1. Syslog configuration

pastedImage_0.png

pastedImage_1.png

2. Security Profile/Firewall

pastedImage_2.png

If you have vRealize Log Insight, it can configure the syslog for you to forward to Log Insight.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
neel_mani
Contributor
Contributor
‎10-15-2017 08:23 PM
Jump to solution

Under the Security Profile I do not see Syslog server as you have mentioned in the earlier 2 screenshots. 😞

Is this due to the ESXi version which 5.5?

0 Kudos
amolnjadhav
Enthusiast
Enthusiast
‎10-16-2017 06:10 AM
Jump to solution

Hi Neel,

   Try below steps if you don't see any configuration issue on ESX Server.

   I am suspecting the issue with your syslog server configuration..

    1. Is it possible you to capture traffic on syslog server using tcpdump -i <Interface_Name> ?

    2. May i ask you which syslog server you are using? Is it linux based syslog server ?? if Yes do check permission on folder level try this command chmod 777 /syslog_folder_path/

Please consider marking this answer "correct" or "helpful" if you think your query have been answered correctly. Regards Amol Jadhav VCP NSXT | VCP NSXV | VCIX6-NV | VCAP-DCA | CCNA | CCNP - BSCI